path: root/scripts/generate-testrepo.pl

# $Id$

# Hack to generate a small test repository for testing Apache + OpenSSL + RPKI

use strict;

my %resources;
my %parent;
my @ordering;
my %hashes;

my $openssl	= "../../openssl/openssl-0.9.8g/apps/openssl";
my $subdir	= "apacheca";
my $passwd	= "fnord";
my $keybits	= 2048;
my $verbose	= 0;
my $debug	= 1;
my $revoke	= 0;

sub openssl {
    print(STDERR join(" ", qw(+ openssl), @_), "\n")
	if ($debug);
    !system($openssl, @_)
	or die("openssl @_ returned $?\n");
}

# Ok, this is a bit complicated, but the idea is to let us specify the
# resources we're giving to each leaf entity and let the program do
# the work of figuring out what resources each issuers need to have,
# the order in which we need to generate the certificates, which
# certificates need to sign which other certificates, etcetera.
#
# This would be much easier to read in a sane language (eg, Scheme).

{
    my @ctx;
    my $loop ;
    $loop= sub {
	my $x = shift;
	if (ref($x) eq "HASH") {
	    while (my ($k, $v) = each(%$x)) {
		$parent{$k} = $ctx[@ctx - 1];
		push(@ordering, $k);
		push(@ctx, $k); $loop->($v); pop(@ctx);
	    }
	} else {
	    for my $c (@ctx) { push(@{$resources{$c}}, @$x) }
	}
    };
    $loop->({
	RIR => {
	    LIR1 => {
		ISP1 => [IPv4 => "192.0.2.1-192.0.2.33", AS => "64533"],
		ISP2 => [IPv4 => "192.0.2.44-192.0.2.100"],
	    },
	    LIR2 => {
		ISP3 => [IPv6 => "2001:db8::44-2001:db8::100"],
		ISP4 => [IPv6 => "2001:db8::10:0:44", AS => "64544"],
	    },
	},
    });
}

# Put this stuff into a subdirectory

mkdir($subdir) unless (-d $subdir);
chdir($subdir) or die;

# Generate configurations for each entity.

while (my ($entity, $resources) = each(%resources)) {
    my %r;
    print($entity, ":\n")
	if ($verbose);
    for (my $i = 0; $i < @$resources; $i += 2) {
	printf("  %4s: %s\n", $resources->[$i], $resources->[$i+1])
	    if ($verbose);
	push(@{$r{$resources->[$i]}}, $resources->[$i+1]);
    }
    open(F, ">${entity}.cnf") or die;
    print(F <<EOF);

	[ ca ]
	default_ca = ca_default

	[ ca_default ]

	certificate = ${entity}.cer
	serial = ${entity}/serial
	private_key = ${entity}.key
	database = ${entity}/index
	new_certs_dir = ${entity}
	name_opt = ca_default
	cert_opt = ca_default
	default_days = 365
	default_crl_days = 30
	default_md = sha1
	preserve = no
	copy_extensions = copy
	policy = ca_policy_anything
	unique_subject = no

	[ ca_policy_anything ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional
	givenName = optional
	surname = optional

	[ req ]
	default_bits = $keybits
	encrypt_key = no
	distinguished_name = req_dn
	x509_extensions = req_x509_ext
	prompt = no

	[ req_dn ]

	CN = TEST ENTITY $entity

	[ req_x509_ext ]

	basicConstraints = critical,CA:true
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid
	keyUsage = critical,keyCertSign,cRLSign
	subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/

EOF

    print(F <<EOF) if ($parent{$entity});

	authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent{$entity}.cer

EOF

    print(F <<EOF) if ($r{AS} || $r{RDI});

	sbgp-autonomousSysNum = critical,\@asid_ext

EOF

    print(F <<EOF) if ($r{IPv4} || $r{IPv6});

	sbgp-ipAddrBlock = critical,\@addr_ext

EOF

    print(F <<EOF);

	[ asid_ext ]

EOF

    for my $n (qw(AS RDI)) {
	my $i = 0;
	for my $a (@{$r{$n}}) {
	    print(F "\t", $n, ".", $i++, " = ", $a, "\n");
	}
    }

    print(F <<EOF);


	[ addr_ext ]

EOF

    for my $n (qw(IPv4 IPv6)) {
	my $i = 0;
	for my $a (@{$r{$n}}) {
	    print(F "\t", $n, ".", $i++, " = ", $a, "\n");
	}
    }
    close(F);
}

# Revoke old certificates, maybe.

if ($revoke) {
    for my $cert (glob("*/*.pem")) {
	my $conf = (split("/", $cert))[0] . ".cnf";
	openssl("ca", "-verbose", "-config", $conf, "-revoke", $cert);
	unlink($cert);
    }
}

# Run OpenSSL to create the keys and certificates.  We generate keys
# separately to avoid wasting /dev/random bits if we need to change
# the configuration.

for my $entity (@ordering) {
    openssl("genrsa", "-out", "${entity}.key", $keybits)
	unless (-f "${entity}.key");
    openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req");

    mkdir($entity)
	unless (-d $entity);
    if (!-f "${entity}/index") {
	open(F, ">${entity}/index") or die;
	close(F);
    }
    if (!-f "${entity}/serial") {
	open(F, ">${entity}/serial") or die;
	print(F "01\n") or die;
	close(F);
    }

    openssl("ca", "-batch", "-verbose", "-out", "${entity}.cer", "-in", "${entity}.req",
	    "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf",
	    ($parent{$entity}
	     ? ("-config", "${parent{$entity}}.cnf")
	     : ("-config", "${entity}.cnf", "-selfsign")));
}

# Generate CRLs

for my $entity (@ordering) {
    openssl("ca", "-batch", "-verbose", "-out", "${entity}.crl", 
	    "-config", "${entity}.cnf", "-gencrl");
}

# Generate EE certs

for my $parent (@ordering) {
    my $entity = "${parent}-EE";
    open(F, ">${entity}.cnf") or die;
    print(F <<EOF);

	[ req ]
	default_bits = $keybits
	encrypt_key = no
	distinguished_name = req_dn
	x509_extensions = req_x509_ext
	prompt = no

	[ req_dn ]

	CN = TEST ENDPOINT ENTITY ${entity}

	[ req_x509_ext ]

	basicConstraints = critical,CA:false
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid
	subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://wombats-r-us.hactrn.net/
	authorityInfoAccess = caIssuers;URI:rsync://wombats-r-us.hactrn.net/$parent.cer

EOF

    close(F);
    openssl("genrsa", "-out", "${entity}.key", $keybits)
	unless (-f "${entity}.key");
    openssl("req", "-new", "-config", "${entity}.cnf", "-key", "${entity}.key", "-out", "${entity}.req");

    mkdir($entity)
	unless (-d $entity);
    if (!-f "${entity}/index") {
	open(F, ">${entity}/index") or die;
	close(F);
    }
    if (!-f "${entity}/serial") {
	open(F, ">${entity}/serial") or die;
	print(F "01\n") or die;
	close(F);
    }

    openssl("ca", "-batch", "-verbose", "-config", "${parent}.cnf",
	    "-extensions", "req_x509_ext", "-extfile", "${entity}.cnf",
	    "-out", "${entity}.cer", "-in", "${entity}.req");
}

# Generate hashes

for my $cert (map({("$_.cer", "$_-EE.cer")} @ordering)) {
    my $hash = `$openssl x509 -noout -hash -in $cert`;
    chomp($hash);
    $hash .= ".";
    $hash .= (0 + $hashes{$hash}++);
    unlink($hash) if (-l $hash);
    symlink($cert, $hash)
	or die("Couldn't link $hash to $cert: $!\n");
}

for my $crl (map({"$_.crl"} @ordering)) {
    my $hash = `$openssl crl -noout -hash -in $crl`;
    chomp($hash);
    $hash .= ".r";
    $hash .= (0 + $hashes{$hash}++);
    unlink($hash) if (-l $hash);
    symlink($crl, $hash)
	or die("Couldn't link $hash to $crl: $!\n");
}

# Generate PKCS12 forms of EE certificates
# -chain argument to pkcs12 requires certificate store, which we configure via an environment variable

$ENV{SSL_CERT_DIR} = do { my $pwd = `pwd`; chomp($pwd); $pwd; };

for my $ee (map({"$_-EE"} @ordering)) {
    my @cmd = ("pkcs12", "-export", "-in", "$ee.cer",  "-inkey", "$ee.key", "-password", "pass:$passwd");
    openssl(@cmd, "-out", "$ee.p12");
    openssl(@cmd, "-out", "$ee.chain.p12", "-chain");
}

# Finally, generate an unrelated self-signed certificate for the server

my $hostname = `hostname`;
chomp($hostname);
open(F, ">server.cnf") or die;
print(F <<EOF);

	[ req ]
	default_bits = $keybits
	encrypt_key = no
	distinguished_name = req_dn
	prompt = no

	[ req_dn ]

	CN = $hostname

EOF

close(F);
openssl(qw(genrsa -out server.key), $keybits)
    unless (-f "server.key");
openssl(qw(req -new -config server.cnf -key server.key -out server.req));
openssl(qw(x509 -req -CAcreateserial -in server.req -out server.cer -signkey server.key));

# Local Variables:
# compile-command: "perl generate-testrepo.pl"
# End: